JWS signature invalid

I am trying to use the Assignment and Grade Services in a tool and am stuck on retrieving an access token. I am following the instructions here to make a post request to /login/oauth2/token with a grant_type of client_credentials.

Here is the information contained in the body of the post request:

{'scope': '', 
'grant_type': 'client_credentials', 
'client_assertion': u'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMDAwMDAwMDAwMTUyOCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC8iLCJqdGkiOiIxMjM0NTY3ODkwOTg3NjU0MzIxIiwiZXhwIjoxNTk4ODkyOTA4LjkyNjA0OSwiaWF0IjoxNTk4ODg5MzA4LjkyNjA0OSwiYXVkIjoiaHR0cHM6Ly93aWxleS5pbnN0cnVjdHVyZS5jb20vbG9naW4vb2F1dGgyL3Rva2VuIn0.NZOjZ-i-s7HvTiOL-wv50ptPIAiR10RyhaAksmLFqAEjPP0T1cO8TdDR0NXBkV5IupyLzW5Cm8AUgucz_LPyjbLwK48ZCbWqo6Z7_LabpQlzW4clqDh6V4DEBwl8pmRSsLrvNTCJHIQwiTbXFpRR0rGCtSQXAhNbvxh6GqL_HE1WJA2MaBLWtHdYKwMruHlSeEVIvCfb-g0Mw6XnmEodKkhAqO8c29LgZRmL80qSBImNrbLbWx7-DltV4Me-OeqUs_3hWUtzoTGTu2P7G8Wu6we-Hio45Qv9YIK-vcr6YYJO3JInxcUdF5b6cLrScEWQHyCn8c6fUUlMBjJPfiu6tQ', 
'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'}

Decoded JWT:

  "sub": "10000000001528",
  "iss": "http://localhost:5000/",
  "jti": "1234567890987654321",
  "exp": 1598892908.926049,
  "iat": 1598889308.926049,
  "aud": ""

Using the following public key, I can verify that the signature for the jwt in the client_assertion field is valid by entering it into

The LTI tool is configured as follows:



In the Public JWK field I have the following:

    "e": "AQAB",
    "n": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2kl1OwVx3D6UHFmnVoZ++9hWqp+c6Fg1mLMLJOIRKIGzh/nzLtbTQm+8+ilY05hHke9P+VO3i2Okece/JkCu9LbJWIIgi4sSPX0ZKgVmTt7rnSEYeg0hRqj1W2NDIyXf91c4jLQH0FbWSd70h503z1Q3AxcnUNkjuYP+5wsPhKoGT9Uk6I6aZUvDNlv+0Bm9/caqJDtYUASLZT/DlrEM3dkTCsgdJxW45oCF5cwfNQHV8gAMH0u3+KGxPBnO9WfR4UEKh+JD7iY70b0y3vOpMJFTWOZK1sZ7B0PppEId1zuxNT5arXMftSoJKnyoI6d3MgkRz2e2KO58AbbQK3poQIDAQAB",
    "alg": "RS256",
    "kid": "10000000001528",
    "kty": "RSA",
    "use": "sig"

And under LTI Advantage Services I have enabled all permissions.

I am stumped why this is not working. When I make the post request to https://<mydomain>/login/oauth2/token all I receive is this:

{"error":"invalid_request","error_description":"JWS signature invalid."}

 But the signature is valid.

It worked! What format did you use for the "n" field?

I merely converted the PEM format into JWKS format using PHP code.

Awesome, thank you so much!

How can I get the n parameter? I don't understand wich is its origin

I use one of the JWT PHP libraries to handle the conversion.  For example, the public key you quoted translates into:

To convert this yourself you could try using the latest version of my saLTIre test tool for LTI at  Try this:

  1. Select "1.3.0" as the LTI version on the Security Model page.
  2. Paste your PEM key into the Public key field in the Tool Details section .
  3. Click on the Save button in the header.
  4. Click on the View as JSON button next to the Public key field.

Thank you, this helps me a lot. I'll test it and confirm you.

In my case, this JWS signature invalid error was caused by the fact that Canvas requires a Public JWK URL to be truly public, which means that, for localhost development use, you will need to paste a Public JWK into the Public JWK field. Note that you also need to delete any URL entered into Public JWK URL as it appears to default to this, even if you select Public JWK.

